Open Flamefire opened 2 weeks ago
Thanks for the report. We will have to look into this.
@cyanezstange - please could you try to replicate the issue that has been reported, and take a quick look for anything obvious... i.e. whether the image has complex symlink structures pointing to /tmp
etc.
Another image from the same site works: https://depot.galaxyproject.org/singularity/p7zip%3A16.02
In my test of 77 images from that site I found 58 working and 19 not working.
Some working ones:
Some broken ones:
Especially the "mulled" images might be interesting as some work and some don't.
@Flamefire - thanks for the extra information. That will be useful.
I have some more: Extracting the image manually I see this:
# ll -a /img/root/var/
insgesamt 16
drwxrwxr-x 4 root root 4096 Mai 23 2014 ./
drwxr-xr-x 18 root root 4096 Mär 8 2021 ../
lrwxrwxrwx 1 root root 6 Feb 27 2014 cache -> ../tmp/
drwxrwxr-x 2 root root 4096 Feb 27 2014 lib/
lrwxrwxrwx 1 root root 6 Feb 27 2014 lock -> ../tmp/
lrwxrwxrwx 1 root root 6 Feb 27 2014 log -> ../tmp/
lrwxrwxrwx 1 root root 6 Feb 27 2014 pcmcia -> ../tmp/
lrwxrwxrwx 1 root root 6 Feb 27 2014 run -> ../tmp/
lrwxrwxrwx 1 root root 6 Feb 27 2014 spool -> ../tmp/
lrwxrwxrwx 1 root root 6 Feb 27 2014 tmp -> ../tmp/
drwxr-xr-x 2 www-data www-data 4096 Mai 23 2014 www/
So the image links all the /var
directories to /tmp
, likely such that (only the single) /tmp
can be mounted to the host
However the precreated rootfs already creates /var/tmp
: https://github.com/sylabs/singularity/blob/914126ad9897ed395b5c95ec3384eb035ef9cc6b/internal/pkg/build/sources/base_environment.go#L297-L299
Removing that line makes it work.
@Flamefire - thanks for digging. Looks like the force overwrite in the unsquashfs
extraction will not force overwrite the directory with a symlink.
Will have a think about this... we should be able to re-order some things to address it without entirely removing /var/tmp creation on images that don't have it.
I had an idea: How about removing all (empty) directories from the target where "something" is present in the image?
See #3105 which includes a test that fails on main and the result is tested against my file.
We want to tackle this in the opposite manner... extract the image first, in its entirity, and only add directories if they are missing. This should be simpler, and is already the case when building from some other types of sources.
@cyanezstange is going to be working on this in the next week or so.
@cyanezstange I looked into that proposed solution and implemented it. I added a test that verifies it and tested it against one of my files causing trouble: Extraction to a sandbox and repacking (directly) to an encrypted image works with that change.
I reported this to squashfs-tools
and it was fixed there: https://github.com/plougher/squashfs-tools/commit/31cd4d68c36531ed3a25c5fda583efcf03f4c0de
However only empty directories are removed, so it might still be worth to create the directories after extraction although my test file now works with only the patched unsquashfs.
@Flamefire - thanks for reporting upstream. We will still have to work around it in Singularity, as it will take a long time for the fix to reach distributions commonly employed in the HPC world.
True, that's the situation here. However squashfs-tools is easier to compile than singularity and you can set the unsquashfs path in the singularity configuration file which provides a nice workaround until the update is there.
Version of Singularity
singularity-ce version 4.1.4-jammy
Describe the bug
I cannot use a (certain class of) images to build from. In particular I need to encrypt existing containers for use in sensitive environments. I cannot recreate the existing container, i.e. I need to use the image file.
However the build fails with
To Reproduce
Intended command is:
singularity build --pem-path=/keys/image.pub output.img input.img
, but any build fails:Steps to reproduce the behavior:
wget -O input.img https://depot.galaxyproject.org/singularity/pigz%3A2.3.4
sudo singularity build --sandbox /tmp/img input.img
Expected behavior
Encrypted image (or sandbox folder) is created
OS / Linux Distribution
Which Linux distribution are you using? Is it up-to-date?
Linux Mint 21.3 (Ubuntu 22.04 "jammy") fully patched
Installation Method
DEB from GitHub:
singularity-ce_4.1.4-jammy_amd64.deb
Additional context
Log with --debug
Console output